Bablu Dutt Kumaran, Senior Lead at a software R&D company with 1,001-5,000 employees, points out that, as far as future improvements go, “The Visual Studio plugin seems to hang when a scan is run on big projects. I would expect some improvements there. Also, the comments added on each issue were getting lost on multiple iterations of scans, which could be fixed.”

“For manual code testing, Checkmarx has been very helpful discarding false positives, filtering and removing a lot of files that are not presenting any threat, as well as indicating the files or functions that should be focused upon.

Checkmarx acts as the first checkpoint during our consulting for apps that are looking for a security assessment or Penetration Testing.”

For Abhishek Pratap Singh, a Security Test Engineer at a tech vendor with 1,001-5,000 employees, a beneficial improvement would be that “the resolutions should also be provided.

For example, if the user faces any problem regarding an installation due to the internal security policies of their company, there should be a resolution offered.”

#3 Veracode

Ranked by IT Central Station users as the number three application security testing solution, Veracode is described by this security consultant at a tech company with 501-1,000 employees as having:

Later on in his review, this same user adds that “The organization of the assets was a little confusing and overwhelming. The system could also use some work in pivoting from a VM scan to add the servers with web applications exposed to the WAS server. It frequently created WAS assets that did not have web applications.”

Not listing any IAST/RASP solutions, such as Contrast Security, seems very wrong. The tools listed here generate tons of false alarms, don't work on APIs, and aren't compatible with modern software development (Agile/DevOps).